I think that’s what he’s saying. I’ve been helping self hosters since 2017, some of whom have been very irresponsible (like upgrading nothing for years). Since I make a good part of my living supporting self hosters, I of course have a different opinion.
The only problem I’ve seen with security was with an admin who was doing stuff like hiding elements with css in a theme component and then charging to “fix” it. He also did a Post.destroy_all at the rails console and, well, destroyed a lot of posts. (I managed to restore at least most of them from a backup.) I’m not aware of anyone having a database stolen (except by someone who was paid to have access to the database).
Discourse does a remarkable job at security. Running wordpress is much more dangerous than running discourse. I don’t think anyone should do that.